At checkout they looked at me like I was up to no good when I said I didn’t want to give them my name, address, and phone number just to purchase the device. I didn’t set up a plan. They said it was for “restocking” or something.
Fortunately they accepted obviously fake info. These front line sales people just don’t care as long as they can say they followed the policy.
The user containers are very helpful. I have to have TikTok for work and I put it in a container all by itself with a vpn on kill switch. And for one app that needs google play services, I have it a container with that.
The duress passcode is super clever, too. You enter a different device passcode and it just wipes the device.
I use a google account for convenience for some purposes, and host my own email (out of principle, not exactly super interesting material). It would be nice if when I enter the 'duress' password it erased everything except the gmail related activity.
A physical pop-up? The online google store requires a google account that has your personal info already..
That's a thing in the US? Here, clerks in various stores ask me for postal code but nothing else and I could refuse giving that info.
You mean different user accounts? Those are available on stock Android, too.
Our more prominent 2-factor fingerprint authentication feature is also relevant when switching between users a lot.
I'm sorry but what? Your job demands what apps you have installed on your PRIVATE phone!?
Edit: "experts" > "workers"
Although GrapheneOS puts a lot of work into sandboxing and protecting against Google Play, don't assume that you have to go that direction.
An alternative direction, if you wish, is to simply minimize the set of apps you use. And maybe it turns out that you don't really need anything from Google Play.
For example, I limit myself to a few open source apps (e.g., email, TOTP authenticator, maps, calendaring).
Anything else, either I don't need to do it from my phone, or I can get by with the Web site version of it in the phone's Web browser.
I also recently went through and deleted some open source apps that were a good idea to try, and which initially seemed like a good idea to keep on hand, but that I really wasn't using, and didn't expect to use without opportunity to reinstall them, so were just clutter and risk (e.g., Matrix, XMPP, Signal).
I'm not using GrapheneOS (I am unwilling to give Google money directly), but I did recently move to my second Android phone after having been a decade-plus iPhone user.
When I got my first Android phone I decided to "sideload" all non-stock software on the phone. I never have setup a Google Play account. I kept all the APKs for the software I loaded over the three years I used the old phone.
When I got the new phone I loaded all the software I use day-to-day and imported my SMS, contacts, and call logs using a nice FOSS app[0]. It felt remarkably like moving to a new PC does. It was nice.
You definitely don't need Google Play to get a lot of functionality. I have run into a number of apps that I can't get to "sideload" (basically any xapk-packaged apps) but I don't need any of the badly enough to care.
I am really sad Google is ending this moving forward. Jackasses.
The biggest factor that forced upgrading was poor call quality on the dumbphones I tried. (And this was really forced by bombing a particular important phone call because I couldn't be understood well.)
Then, once I found a smartphone that I kinda liked (GrapheneOS, after Apple sold out on surveillance), there were reasons to start carrying it. Rather than simply keeping it in a drawer at home.
But fortunately not sufficient reason so far to go full Google Play.
Email, Web, maps, authenticator, camera, and calls are all things I sometimes could use when out.
Though I normally don't have to have any of those, but I've been experimenting with it for a year or so, and seeing whether it's worthwhile.
Sure it's cool you can turn off google play, but I found myself having to go into the menus and through the six or seven clicks to turn google play back on at least daily.
I found the profile feature to be only slightly more convenient than having two physical devices. I could not find any real use for it. I thought I'd set up a work profile to attach to my work gsuite account. Nope, unsupported. I can't attach my work google account at all. Maybe I can just put all my google play dependent apps in a profile? Sure, but to get to them is just about as convenient as rebooting the phone from cold. And notifications are not forwarded to other profiles. If an event happens in another profile, you get a notification that there is a notification. You still have to drop everything to reboot into the other profile to check that you got an emote reaction to your Discord message. Great use of my time.
The entire thing seems like theater designed to show everyone that they're doing absolutely everything to be Secure, and user experience is a tertiary concern at most.
Graphene is not an OS for normal people to use. It's designed as an OS for nerds who want to nerd about how "secure" and "private" their device is, irrespective of how usable it is.
Again, I tried for months to like it. Once I realized the security features were really only one step removed from having two devices, I just gave up. I'd rather be able to use my device the way I want than to be "secure" and only use my phone the way Google wants. Sorry, I meant Graphene.
Given the choice between two third party entities dictating to me how I'm allowed to use my own device, I'd rather just use lineage and make my own choices.
I don't want my OS to coddle me and lock me into padded playpens, I want it to get the hell out of my way and do exactly what I tell it to, even if that action is not in line with what some unknown third party thinks is in my best interest. It's my device, not google's, and certainly not Graphene's.
This just isn't true. Switching profiles is nothing like rebooting the phone. It takes about 8 seconds to go thru the entire procedure. That's including about 3 seconds to load the 2nd profile (even an unloaded profile). The procedure on my Pixel 7 goes:
- Swipe down to open the Notification Panel
- Swipe down again to expand the Quick Settings
- Tap the User icon at the bottom
- Select the user profile you want to open
- Wait 3 seconds
- Enter the 2nd user's PIN to log in
That's 4 taps + 3 seconds of load time.
Apart from having to tweak some location permissions for when I wanted to copy the BankID credentials from my old phone I haven't had to any tweaking or anything to get it to just work.
Google Play and associated services are not bundled with GrapheneOS, they are completely optional.
> I found the profile feature to be only slightly more convenient than having two physical devices.
User Profiles is a feature inherited from AOSP. This is what AOSP says about the feature: "Android supports multiple users on a single Android device by separating user accounts and app data. For instance, parents might allow their children to use the family tablet, a family can share an automobile, or a critical response team might share a mobile device for on-call duty."
In the community it is popular to use multiple profiles to compartmentalise personas or group apps with hard google service dependencies together, but this is all completely optional. GrapheneOS as a project gently suggest keeping everything in the same initial owner profile and then moving things around to suit your comfort level.
> It's my device, not google's, and certainly not Graphene's.
You've clearly endured a lot of frustration when using the OS. Are there any specific things you remember trying to do that were blocked or prevented by GrapheneOS? It's not a project with unlimited resources, but actionable information about limitations and bugs can potentially be addressed if known.
#!/data/data/com.termux/files/usr/bin/bash
PACKAGE="com.google.android.gms com.google.android.gms.policy_sidecar_aps com.google.android.gsf com.android.vending"
PATH="/data/data/com.termux/files/usr/bin:$PATH"
command=$(echo "$0"|cut -d: -f2)
pman () {
action=$1
shift
for package in $@; do
sudo pm $action $package
done
}
case $command in
disable|enable)
pman $command $PACKAGE
;;
*)
echo "command '$command' not supported"
;;
esac
exit 0
Notice that the script can enable/disable multiple packages by adding package names to the $PACKAGES variable.
I enable and disable things like Google Services manually but the scheme can be extended as much as you wish, eg. by creating spin lock files to indicate whether a specific package is needed as a dependency for another package. This is left as an exercise for the reader.
Disabling Google Play apps as you're describing will heavily break other apps and will cause lots of issues. It will not reduce what they can do or access. It's not an alternative to the privacy or security features provided by GrapheneOS. What the person above is describing has little to do with GrapheneOS specifically and doesn't make sense as an approach to using it.
Recommend reading https://grapheneos.org/features and looking at https://eylenburg.github.io/android_comparison.htm for an understanding of what GrapheneOS provides.
Shizuku helps normal apps to use system APIs without root. You can enable it with from a computer with adb or from the phone itself using wireless debugging. Hail uses Shizuku's API access and lets you select apps to freeze. You can then unfreeze / refreeze apps with a quick tap in Hail.
If you already have root, all this becomes easier. If you do the wireless debugging method, Shizuku's API access won't survive a reboot. You'll have to go thru the wireless debugging procedure again before you can use Hail. https://shizuku.rikka.app/guide/setup/
https://eylenburg.github.io/android_comparison.htm
/e/ regularly lags many weeks and months behind on essentially privacy and security patches for Android, the browser engine used by many apps, the Linux kernel, drivers and firmware. It doesn't preserve the standard Android privacy and security model either. It isn't safe from a privacy or security perspective for those reasons. It doesn't take a nation state attacker to exploit not having patches for many known browser/OS privacy and security vulnerabilities.
Despite the misleading marketing, /e/ always uses multiple Google services and integrates them into the OS with privileged access unavailable to other services. They automatically download and run Google code with privileged access along with giving privileged access to certain Google apps when they're installed including Android Auto.
Article from Mike Kuketz about /e/ including covering user tracking in their update client, still using Google services with privileged integration into the OS and major delays for important privacy/security patches:
https://kuketz-blog.de/e-datenschutzfreundlich-bedeutet-nich...
Apple and Google both provide support for offline speech-to-text using local models. Apple uses it by default Users can configure it to be fully offline. /e/ sends the user's audio to OpenAI which is hidden away in their terms of service:
https://community.e.foundation/t/voice-to-text-feature-using...
Information from the founder of the Divested projects:
Issues with /e/: https://codeberg.org/divested-mobile/divestos-website/raw/co... ASB update history: https://web.archive.org/web/20241231003546/https://divestos.... Chromium update history: https://web.archive.org/web/20250119212018/https://divestos.... Chromium update summary: https://infosec.exchange/@divested/112815308307602739
I personally don't use the separate user profiles at all. I agree they are clunky, due to how segregated they are. though with a work profile, and if needed (I don't use it atm) the newly added android feature, a private space, I feel there are plenty of compartmentalisation/sandboxing options available within a single user profile.
There are no restrictions on what people can do added by GrapheneOS compared to the Android Open Source Project / stock Pixel OS.
> Sure it's cool you can turn off google play, but I found myself having to go into the menus and through the six or seven clicks to turn google play back on at least daily.
GrapheneOS doesn't come with Google Play. You would have had to install it yourself and those run as regular sandboxed apps with no special access. It doesn't make sense to turn it off and on which will break apps set up to depend on it. If you only want to use it with specific apps when needed, the right approach is using a dedicated profile for it. By turning it off, you were breaking apps installed in the same profile with it which use it.
Using a single profile with sandboxed Google Play is perfectly fine and doesn't ruin the privacy and security provided by GrapheneOS. Putting it into a separate profile is optional. Sandboxed Google Play are regular apps in the regular app sandbox with zero special access or privileges. Using multiple profiles to split things up is a more advanced approach.
> I found the profile feature to be only slightly more convenient than having two physical devices.
That's the purpose of secondary users. There are also the more convenient work profiles and Private Spaces. All 3 of these features are standard Android features. GrapheneOS enhances user profiles and Private Spaces in various ways but they're not at all mandatory and there's nothing pushing people to use them more than the stock OS. There's a widespread misconception that the sandboxing of sandboxed Google Play is tied to profiles but it's not.
> The entire thing seems like theater designed to show everyone that they're doing absolutely everything to be Secure, and user experience is a tertiary concern at most.
GrapheneOS deeply cares about user experience including app compatibility. We have limited resources so we haven't been able to replace or overhaul all of the AOSP apps yet, which is the main weakness of the out-of-the-box experience. Those can all be replaced by the user's choice of apps.
> Graphene is not an OS for normal people to use. It's designed as an OS for nerds who want to nerd about how "secure" and "private" their device is, irrespective of how usable it is.
No, not at all.
> Again, I tried for months to like it. Once I realized the security features were really only one step removed from having two devices, I just gave up. I'd rather be able to use my device the way I want than to be "secure" and only use my phone the way Google wants. Sorry, I meant Graphene.
Profiles are an Android feature, not a GrapheneOS feature, and only a tiny portion of our features have to do with them. The features page at https://grapheneos.org/features covers most of the features added by GrapheneOS, and very little of that has to do with profiles. It sounds like you chose to heavily use secondary users and didn't like that, which has little to do with GrapheneOS specifically.
> Given the choice between two third party entities dictating to me how I'm allowed to use my own device, I'd rather just use lineage and make my own choices. > > I don't want my OS to coddle me and lock me into padded playpens, I want it to get the hell out of my way and do exactly what I tell it to, even if that action is not in line with what some unknown third party thinks is in my best interest. It's my device, not google's, and certainly not Graphene's.
GrapheneOS did not create Android's user profile feature. It makes enhancements to it but it's not a major focus of what we work on. You aren't missing many of the GrapheneOS features if you don't use user profiles. Enabling more standard user profile functionality, notification forwarding, allowing more user profiles and a few other minor things are all we do with those. We have a substantial set of privacy and security features and nearly none of it has to do with profiles. Adding clipboard control to Private Space and enabling making Private Spaces in secondary users are how we improve those. Many GrapheneOS users only use an Owner user or Owner with a Private Space and/or work profile. Secondary users are a much more specialized thing. It's not expected that people split things across a bunch of secondary users, that's an advanced power user approach.
It really is sad that there isn't any ROM with Graphene's permission and sandboxing features while still leaving the user in control. IIRC it's theoretically possible since they publish the code, but one assumes it would be a non-trivial effort:\
See: github.com/chenxiaolong/avbroot
I don't know if there's any good solution to this, since all this seems to be necessary for the security model.
EDIT: Wait, isn't this what A/B partitions are for? (ie, you can brick one partition and still boot from the other) Also, shouldn't it be possible to flash an image signed with the correct keys without unlocking the bootloader and wiping the user data?
I dint understand why you insist on this massive risk to be laid on on everyone.
GOS publishes pretty detailed documentation. They don't explain step by step how to build an OS with root specifically, instead assuming that the users knowing the immense risks also have the skils they need to achieve it without handholding.
> GOS publishes pretty detailed documentation. They don't explain step by step how to build an OS with root specifically, instead assuming that the users knowing the immense risks also have the skils they need to achieve it without handholding.
It really sounds like you call it very easy, then promptly turn around and say that it's not easy but that's okay because it should be hard. You're also conflating the ability to assess security risks with the ability to build Android from source and modify it in the process, even though these skills are mostly unrelated.
> I dint understand why you insist on this massive risk to be laid on on everyone.
Largely, I don't agree that it's a "massive risk" in the first place. I don't believe that user-controlled root access is a problem, and I certainly don't believe that a default-off option to enable root access constitutes a problem.
Are you saying that the Qubes OS security model is worse than the GrapheneOS one?
Equating control to root is an outdated way of thinking that comes from a time before the principle of least privilege existed. The way UNIX did things should not be put on a pedestal.
There needs to be some escape hatch that you can use, even if your grandma doesn't have access to it.
It's true only if user is the threat for the user, e.g. a user with low IQ but high curiosity, but such user usually cannot install GrapheneOS.
In the verified boot threat model, an attacker controls persistent state. If you have persistent root access as a possibility then verified boot doesn't work since persistent state is entirely trusted.
A userdebug build of AOSP or GrapheneOS has a su binary and an adb root command providing root access via the Android Debug Bridge via physical access using USB. This does still significantly reduce security, particularly since ADB has a network mode that can be enabled. Most of the security model is still intact. This is not what people are referring to when they talk about rooting on Android, they are referring to granting root access to apps via the UI not using it via a shell.
The same is true even of an operating system such as QubesOS. And it's a minimal risk.
Not providing optional root access on GOS makes it only useful if you have a constrained application in mind for the phone. I don't have time to compile GOS with root so I just use LineageOS instead.
Yes, I'm sure it is. But I don't consider that a tolerable tradeoff, and I believe we could have a system that has most of the best of both worlds.
Would this have been easier or more possible if Android had a full capability-based security model?
> If you have the UI layer able to grant root access, it has root access itself and is not sandboxed. If the UI layer can grant it, an attacker gaining slight control over it has root access. An accessibility service trivially has root access. A keyboard can probably get root access, and so on. Instead of a tiny little portion of the OS having root access, a massive portion of it does.
Android has an established way to handle permission dialogs that require the user to confirm their approval, including use of fingerprint/PIN/password to authenticate. If it's good enough to unlock and decrypt the device, it's good enough to control root access. Besides which, I think
> An accessibility service trivially has root access.
is hitting https://xkcd.com/1200/ ; an a11y service already has access to everything inside the sandbox (including all your sensitive data), and the system settings that control permissions and sandboxing.
> In the verified boot threat model, an attacker controls persistent state. If you have persistent root access as a possibility then verified boot doesn't work since persistent state is entirely trusted.
I'm tentatively willing to agree, but I don't see the point? 1. If an attacker controls persistent state, don't they already control all the other permissions, including what security domains exist and what permissions are given to apps. 2. You don't have to persist it; even just one-off root access is quite useful.
> A userdebug build of AOSP or GrapheneOS has a su binary and an adb root command providing root access via the Android Debug Bridge via physical access using USB. This does still significantly reduce security, particularly since ADB has a network mode that can be enabled. Most of the security model is still intact. This is not what people are referring to when they talk about rooting on Android, they are referring to granting root access to apps via the UI not using it via a shell.
Agreed, that's not what I want.
And, I still haven't been able to get it to properly support Google Fi, wherever I switch profiles it confuses the carrier and my access gets reset.
My solution has been to have two phones, one with Google Fi that I use to hotspot my Graphene device. Everything else seems to work fine on Graphene, including Uber and maps and calendar and VPNs and isolated profiles for gaming vs work vs socializing, etc
Note Google Maps used to work without sandboxed Google Play without account-based functionality and it having a hard dependency on Google Play happened around a year ago or so.
Google Play Services is a dependency for some apps, and GrapheneOS allows for people to take steps to protect their privacy while still being able to use those apps.
First, with GrapheneOS google play services run in a sandbox like any other app. (play services have more privileged access in vanilla android)
It also works well with a multi-user setup. The default account in Android is the "owner account" and in GrapheneOS (and AOSP) you can use the owner account to create multiple distinct user accounts on the device. Then, you can only install google play services in one user account. Google play services won't start if you're not logged into that user account.
Google play services won't have visibility into your other user accounts and what you're doing there. And even in your account with play services installed, there's a bit more privacy because of the sandboxing (although I believe google play will know all of the apps installed in that user account)
There's a full explanation here: https://grapheneos.org/usage#sandboxed-google-play
Edit: I am a web security researcher and longtime user of GrapheneOS and have always been impressed by the features, frequent security updates, and focus on usability, security, and privacy. They've upstreamed numerous security improvements to Android and other open source projects (so if you're running Android, they've probably made your phone more secure!).
https://grapheneos.org/faq#upstream
I encourage folks to join me in making a regular small donation to the project if you have some cash to spare. They're doing good work.
* If an app wants to access your contacts, you can choose which contacts, and you can choose to feed them a "fake" list (which is an empty list). Same for storage.
* You can choose not to give network access to an app, and the system will tell the app that there is no signal all the time.
The other very nice feature is that the Google Play Services and Play Store aren't running as system apps (i.e. they don't have root access): they just run like any other app. So you can choose not to share your contact list with them, for instance.
I don't think most people use Google services out of choice anyway, but more because sometimes that's the only way to get functionality you may need.
Google apps are still in a sandbox.
Location services and other features can be provided by non-Google services.
I know the OS itself isn't siphoning data; With my Oneplus 12 I had to check both Google and Oneplus configs to make sure I wasn't leaking anything.
I can disable network access for apps.
I can limit app access to Contacts and files with "scopes". For example, I have Whatsapp for only a few known people. Whatsapp demands access to your contacts. I can set up a scope called "Whatsapp Users", add only my friends to it, and then give Whatsapp Contact access to that scope.
The recommended app is "Shelter". https://f-droid.org/en/packages/net.typeblog.shelter/
Secondary users, work profiles and Private Spaces are standard Android features but GrapheneOS does provide improvements to secondary users and Private Spaces such as control over clipboard sharing with a Private Space, enabling having a Private Space for each secondary user, cross-user notification forwarding, etc. https://grapheneos.org/features has a good overview of most (not all) GrapheneOS features.
Loving it.
Also, does this let you setup very restricted accounts like something for my parents so they can't go installing malware from the play store? (Parental controls are week in play store and malware rated for everyone in "weather" apps and the like)
It's easy to set things up far less efficiently on GrapheneOS. As an example, Signal's WebSocket push fallback when Firebase Cloud Messaging is unavailable via Play services is quite inefficient. There's the Molly fork of Signal with support for UnifiedPush which has efficient alternatives to FCM, but since Signal's server doesn't support it this requires a MollySocket server to convert to UnifiedPush. There's at least one public provider. If you simply use FCM as you do on the stock OS then you wouldn't have any extra battery drain from running multiple often less efficient push implementations. It's common to want to avoid FCM to the extent possible, so people often do set things up less efficiently, but it's not because of GrapheneOS.
> Also, does this let you setup very restricted accounts like something for my parents so they can't go installing malware from the play store? (Parental controls are week in play store and malware rated for everyone in "weather" apps and the like)
You can use user profiles for this as you can on standard Android. If you want parental control software for those profiles, that's something you need to install. It's supported, but GrapheneOS is not going to specifically provide parental control and monitoring features rather than only the standard device/profile management APIs usable for it.
This doesn't however, prevent your parents from installing it again (it is installable from the GrapheneOS app store and therefore relatively easy to install), and then going nuts with installing whatever malware their storage can hold.
The user profiles was slow to set up and not having shared filesystem between the user profiles creates friction. But I love that I can effectively sandbox my work apps, sandbox the Zuck apps etc, with different VPN profiles for each user.
Getting a burner google account (for gplay services) is a PITA if you are determined to get a clean slate from Googles tracking. Gplay is the only safe way to get certain apps at the moment, and make certain apps pass the device integrity checks.
I suspect one of the biggest barriers to mass adoption will be the fact that tap to pay doesn't work. IIUC apple/google pay are generally considered a privacy and security improvement over physical cards, since you don't give every merchant your actual card number.
Overall love the project and really nice to see such high quality open source software.
It's worth noting this is a standard Android feature along with work profiles and Private Space which are nested in another user. Private Space has built-in sharing functionality and work profiles can have it via the management app.
GrapheneOS enhances user profiles and Private Space but doesn't add the baseline features.
> I suspect one of the biggest barriers to mass adoption will be the fact that tap to pay doesn't work. IIUC apple/google pay are generally considered a privacy and security improvement over physical cards, since you don't give every merchant your actual card number.
Curve Pay, PayPal tap-to-pay and a bunch of European banks provide tap-to-pay support. Google Pay doesn't allow GrapheneOS but works on it on a technical level so if it was tricked into believing it was an old stock OS device, it would work, but that's not something feasible to keep working as they don't want to allow it.
But there are some exceptions out there so you need to be more specific.
Although, keep in mind, this is subject to change. All they need to do is just introduce the requirement in an app update, and then you're screwed.
Reminder: It forces you to use hardware suspected as compromissed from Google. Even this same month they were advocating you to use Tor, a VPN created and sponsored by the same agencies trying to get your private data.
Read other comments here, many others will point out the obvious red flags. It isn't spontaneous either that every day or so there is an article about this distro.
Don't fall into this trap, there are other options out there that deserve your attention.
GrapheneOS doesn't advocate use of Tor. See https://nitter.net/GrapheneOS/status/1945623621457600929#m You have gone on a quest to criticize GrapheneOS across social media just because a GrapheneOS moderator shared a screenshot for the TorVPN app : https://primal.net/e/nevent1qqstmnf2qj09j7t2gthgdhr72ghmvn08...
My conclusion is "It seems every single day there is a new disingenuous comment on GrapheneOS-related posts from you based on a heavy misportrayal of a social media post made on the personal account of a GrapheneOS moderator. It isn't spontaneous. Don't fall into this trap."
Unfortunately, now that CalyxOS has died, the other choices are all forks of LineageOS (Iodé, /e/). The long-term hope is for a non-Google Linux system with all of Android running in a sandbox (something like Waydroid), but that's not ready for everyday use yet.
I know the reasons are technical, but still, it means I have no interest in it as somebody who is actively de-googling myself.
Note that Google is in active talks with an major Android OEM for a few months already to help them meet the requirements for a subset of their future devices. They are very optimistic about that.
* The community is unnecessarily toxic from what I've seen: there's a lot of following dogma without asking "why". It leads to this very insular userbase that often turns outwardly toxic towards other projects, which is an issue that goes forever unfixed (ie. This post on the F-Droid forums originally was far more aggressive towards the F-Droid project before moderators edited it to be less aggressive: https://forum.f-droid.org/t/google-will-require-developer-ve... ). Other, older places I've seen this come "from the top" include hostile relicensing of Vanadium's patches to prevent other Chromium forks from making use of them.
* Instead of blockading SafetyNet as being a user hostile solution, GOS instead... implements their own version of it. Which is hard to see as anything other than basically recreating the same walled garden you get on stock Android.
* Pixel exclusivity is dumb and remains dumb. Pixels are very mediocre devices from a usability angle; they're large, have pretty inefficient battery life and in my experience are prone to becoming hot very easily. (I also managed to randomly brick one during a routine stock system upgrade, so there's that; not on GOS obviously, just noting that the Google side of the flagship Android is pretty lackluster too.) There's also a forever hypocrisy in defeating Google spying... by giving more money to Google. The motives for this seem to mostly be tied to a promise about the Pixel's security chip being open sourced eventually, but this is a forever promise Google isn't willing to cash out on. GOS has a token line on their site saying that most patches can be used on other OSes with little effort, but there's zero effort from any community to actually make these. (The reason for this can be blamed squarely on point 1; there's an insanely hostile reaction to anyone trying to do a fork for this sort of thing, which is basically enabled by the lead devs because of what they did w/ the Vanadium license.)
* Finally, GOS doesn't let you do hosts based adblocking, instead encouraging you to use the Android VPN service instead. A simple solution... that isn't really realistic because the Android VPN service only covers running one VPN at a time, meaning you have to pick between adblocking and privacy/accessing your own internal network.
Finally, a broader problem is that from what I can tell, GOS as a project doesn't quite grasp the relationship between app developer and app user and how it's become toxified over the years. Things like their ongoing signing beef with the F-Droid project (an incredibly niche issue that doesn't matter for most users) suggest to me that GOS is at best extremely naive/unrealistic on the issues that affect app usage for the common user. The problem these days is usually the developer going bad, not a third party.
Pixel is better hardware based on project's security requirement. you're simply wrong here.
Most of what you're complaining about are upstream Android limitation and problem.
I'm a GrapheneOS community moderator and I would disagree with this take. If people have issues with the community and feel that they can't ask "why" then a moderator should help with that. I can assure you we've had talks with "supportive" community members who cause problems. Being supportive of the project doesn't mean they can get away with acting rude towards others.
As for the F-Droid post, I never even heard of that post. I don't recognize the username of the user who posted it either. I guess I won't be able to see the original aggressive post, but either way just because someone is a fan doesn't mean the rest of our community is toxic.
> Instead of blockading SafetyNet as being a user hostile solution, GOS instead... implements their own version of it.
SafetyNet was depreciated, so you must be talking about Play Integrity. We don't reimplement Play Integrity, but rather have Sandboxed Google Play, and have even taken steps to reduce its effect on GrapheneOS users, notably optionally blocking API attempts or returning a server error (I forget) and blocking Google-injected code from running in apps that have automatic protection enabled in the Play Developer Console.
Outside of some workarounds, apps that expect Play Integrity verdicts can refuse to run if they choose to. Blocking things won't change that. Spoofing is also not practical because Google can and will break spoofing every time, especially since GrapheneOS has so many users. They already do that for people who root and use various spoofing methods.
> Pixel exclusivity is dumb and remains dumb.
Only Pixels meet the project's requirements as of now. GrapheneOS is in talks with a major OEM for them to get a few of their devices to meet the project's requirements and have official support for GrapheneOS. If all continues to go well, we expect it'll be 1-2 years before this happens.
> GOS doesn't let you do hosts based adblocking
There are apps and VPNs that can do this kind of thing.
> GOS as a project doesn't quite grasp the relationship between app developer and app user and how it's become toxified over the years > The problem these days is usually the developer going bad, not a third party.
The way you're talking here and your mention of F-Droid earlier leads me to believe you're a supporter of F-Droid. The project's advice is just that: advice. People are free to ignore that advice.
GrapheneOS is far from the only group that talks about issues with F-Droid. I don't personally know of all the issues with F-Droid, but as I understand it they use out of date servers, out of date build environments, and other similar issues. Also, they don't actually audit code at all, so developers can still sneak changes past them as long as the developers' changes aren't caught by their basic scanning. There's even the case where the WireGuard developer made changes that break F-Droid's terms of use or something like that. They were making those changes very much in the open and the F-Droid team didn't even notice. If a developer was trying to hide malicious changes, they could easily do that. No, we still have to trust developers. F-Droid is just another trusted party, and they don't deserve that trust considering all the issues they have.
They have not said anything like that. In fact there are plenty of things about the current GrapheneOS + Pixel end result that they would change if they had the resources and support to do so. They have repeatedly praised or highlighted improvements in iOS and other less mainstream operating systems.
QubesOS is a completely different project with different goals and constraints. GrapheneOS have praised the isolation model of Qubes repeatedly, but have always said it is a strong approximation of many laptops. Older laptop operating systems (Windows/macOS/desktop Linux distros) do not aim to provide similar protections against threats that the newer mobile operating systems have done.
>They have not said anything like that.
Quote (https://news.ycombinator.com/item?id=30769666):
> Librem 5 has incredibly poor hardware/firmware security and it isn't possible for us to work around that at a software level. It's missing the basic hardware and firmware security features that are required.
The reality is that Librem 5 is secure according to a different threat model than the one GrapheneOS follows. This doesn't make it "incredibly" insecure, unless you believe that only you can define good threat models.
GrapheneOS is focused on privacy and security overall including protecting applications and the OS from exploitation in general. GrapheneOS does use sandboxing and compartmentalization to improve security. Hardware-based virtualization is one of the GrapheneOS hardware requirements (https://grapheneos.org/faq#future-devices) and is used through Android's virtualization framework. It's provided by pKVM on Pixels and Gunyah on Snapdragon. Making more use of virtualization beyond isolating system services via microdroid and running a desktop OS via Android's virtual machine management app (Terminal) is planned and being gradually worked on. It's part of what we work on overall, not the whole picture or primary focus. It will be a bigger focus over time as hardware improves to make it more viable.
Smartphones didn't have a lot of memory for virtualization until recently and GrapheneOS needs memory for other protections too. The Pixel 6 was the first Pixel with CPU hardware virtualization support and the Pixel 10 is the first with native GPU hardware virtualization support not requiring proxying to the host for GPU acceleration. Secure GPU acceleration is quite important for making it into a highly usable feature, especially on a phone, so the hardware was not ready yet and still isn't on most other devices. QubesOS largely doesn't have that available either, but laptop or desktop hardware is more powerful.
Why would you need that if you don't run any untrusted apps in a trusted VM? Also, you don't have any private information in the untrusted VMs. It might only be helpful in the context of security in depth, but this barrier for attackers is much lower than the virtualization itself.
> data extraction in the After First Unlock state
By whom? A physical attacker?
> Hardware-based virtualization is one of the GrapheneOS hardware requirements
Qubes doesn't force the user to have it. Could GrapheneOS also allow using devices which don't support it? It would make millions of people more secure, not less. And it would make GrapheneOS more popular, too. You could name it "GrapheneOS lite" if you're afraid of a false security message.
> Applications and guest operating systems are just as vulnerable to exploitation
Which exploitation? Where would it come from?
I think protecting people from themselves is a noble goal that is often overlooked, even if many will disagree with me.
Indeed, this is where we disagree. "If you are protected by a steel door, but you don't have the key, you aren't safe: You're imprisoned."
I still enjoy Harry Potter despite controversy around what J.K. Rowling has said on some topics.
0. https://web.archive.org/web/20250123135603/https://github.co... 1. https://www.youtube.com/watch?v=Dl1x1Dy-ej4
fwiw, Louis Rossmann's employer/key supporter has disbursed grants to GrapheneOS and associated projects.
> Plenty of people have asked for this feature on GitHub
The issue has been deleted, but from the archive, (assuming the "lead developer" jab is aimed at Daniel) Micay says, "This is an issue that's going to be fixed and not a reason to change this." Then goes, "Please use reactions on the top level issue instead of adding comments expressing support for a change. You're sending unnecessary emails to the project developers."
As someone who maintains rather unremarkable FOSS projects, saying NO to feature requests is not at all easy in that it irks the community to no end, let alone one as large as Graphene's. Everyone is quick to reach all sorts of conclusions and pass judgements.
> ... the way the lead developer responds makes it look like there are some serious unresolved mental issues at play
afaik, there's 3 directors (also developers, from what I can tell) who steward GrapheneOS. Don't suppose they are all "mental"?
https://www.canadacompanyregistry.com/companies/grapheneos-f...
> FUTO made a $40k donation to GrapheneOS supposedly with no strings attached. They ended up being unhappy with us not making content with them and promoting them.
Don't post another link or quote from anywhere else. You provided that link as evidence and I want to see specifically what it is you expect people to take from it.
I don't use call recording and also don't care about some guy I've never heard of ranting for 18min about some pointless comment he made on youtube causing drama (but I do care about NFC payments so that's why I haven't tried GrapheneOS yet).
It's a communication issue at the core, and always doubling down is not making it any better.
It portrays the whole project as being unreliable.
Many people enjoy participating in harassment towards an open source developer when they have a disagreement with the project such as our requirements for accepting a pull request for automatic call recording. We've said we won't accept it without showing that it's active so that people are aware calls are being recorded when it's enabled. That's more than enough for some people to participate in harassment.
Hacker News shouldn't be permitting it over and over again.
What I see here is someone who wants a feature, a feature that many people want, but it hasn't been added for reasons listed in the GrapheneOS issue tracker. No one was rude or anything there in that link you shared that I can see.
> the lead developer responds makes it look like there are some serious unresolved mental issues
To say something like this is extremely out of line.
> Louis Rossmann’s video
What you fail to mention here is incredibly important context, but leaving that out conveniently supports the narrative that Daniel is crazy. Biggest fact there is that he had just been swatted multiple times. Louis commented on another harassment video and Daniel was understandably upset. By the way, the swatter had been in contact and even told GrapheneOS project members that they were a fan of the YouTuber who made the first video. So, attempted murder by some other person, a "friend" was supporting harassment content making him out to be "crazy" and comments on that video showing support for it, then, knowing that, Louis records a video of a private conversation in real time. The video itself was filled with lies and misrepresentations. Even the title was a lie because Rossmann continued to use GrapheneOS for long after that video was released.
Not to mention the fact that targeted updates aren't even possible on GrapheneOS considering how updates work and the infrastructure. Louis may not understand these things, but even though we and others have pointed this fact out multiple times, the video remains up. The video is clearly meant to do one thing: damage or destroy GrapheneOS.
That post has been deleted.
As far as I can tell, nothing has changed other than obscuring the leadership of the project a tiny bit. strcat is still active here in the comments.